
    Self-Adaptive Role-Based Access Control for Business Processes

    © 2017 IEEE. We present an approach for dynamically reconfiguring the role-based access control (RBAC) of information systems running business processes, to protect them against insider threats. The new approach uses business process execution traces and stochastic model checking to establish confidence intervals for key measurable attributes of user behaviour, and thus to identify and adaptively demote users who misuse their access permissions maliciously or accidentally. We implemented and evaluated the approach and its policy specification formalism for a real IT support business process, showing their ability to express and apply a broad range of self-adaptive RBAC policies.

    An Access Control and Trust Management Framework for Loosely-Coupled Multidomain Environment

    Multidomain environments where multiple organizations interoperate with each other are becoming a reality, as can be seen in emerging Internet-based enterprise applications. Access control to ensure secure interoperation in such an environment is a crucial challenge. A multidomain environment can be categorized as tightly-coupled or loosely-coupled. The access control challenges in the loosely-coupled environment have not been studied adequately in the literature. In a loosely-coupled environment, different domains do not know each other before they interoperate. Therefore, traditional approaches based on users' identities cannot be applied directly. Motivated by this, researchers have developed several attribute-based authorization approaches to dynamically build trust between previously unknown domains. However, these approaches all focus on building trust between individual requesting users and the resource-providing domain. We demonstrate that such approaches are inefficient when the requests are issued by a set of users assigned to a functional role in the organization. Moreover, preserving the principle of security has long been recognized as a challenging problem when facilitating interoperations. Existing research work has mainly focused on solving this problem only in a tightly-coupled environment, where a global policy is used to preserve the principle of security. In this thesis, we propose a role-based access control and trust management framework for loosely-coupled environments. In particular, we allow the users to specify the interoperation requests in terms of requested permissions and propose several role mapping algorithms to map the requested permissions into roles in the resource-providing domain. Then, we propose a Simplify algorithm to simplify the distributed proof procedures when a set of requests is issued according to the functions of some roles in the requesting domain. Our experiments show that our Simplify algorithm significantly simplifies such procedures when the total number of credentials in the environment is sufficiently large, which is quite common in practical applications. Finally, we propose a novel policy integration approach using the special semantics of hybrid role hierarchy to preserve the principle of security. At the end of this dissertation, a brief discussion of the implemented prototype of our framework is presented.

    Observation-enhanced verification of operational processes

    Operational processes are at the core of many organisations. The failure and misuse of these processes can cause significant economic losses to businesses or, in the worst cases, endanger human life. As a result, there has been significant research effort focused on the development of techniques and tools for the model-based analysis and verification of reliability, performance and quality-of-service properties of processes. Constructing models which accurately represent the behaviour of real-world systems is very challenging. The complexity and stochastic nature of real-world phenomena require the use of modelling assumptions which introduce errors that can significantly impact the results of model-based analysis. Where inaccurate analyses are used as the basis of engineering or business decisions, the consequences can be catastrophic. Many operational processes are now routinely instrumented and capture information about component interactions and the behaviour of human operators. This thesis introduces a set of tool-supported techniques which exploit these logs in conjunction with tried and tested probabilistic model checking. This produces Markov models and formal analysis techniques which more accurately capture process behaviours and improve the quality of model-based analysis for operational processes. We show how observation data can be used to improve the modelling and analysis of continuous-time systems by refining continuous-time Markov chains (CTMCs) to more accurately reflect real-world behaviours. We apply the tools and techniques developed to real-world processes and demonstrate how we may avoid the invalid decisions which arise from traditional CTMC modelling and analysis techniques. We also show how observation-enhanced discrete-time Markov models may be used to characterise the behaviour of users within an operational process. The self-adaptive role-based access control approach we develop uses a formal definition of adaptation policies to identify potential threats in a real-world IT support system and mitigates risks to the system.

    Policy analysis for self-administrated role-based access control

    Current techniques for security analysis of administrative role-based access control (ARBAC) policies restrict themselves to the separate administration assumption, which essentially separates administrative roles from regular ones. The naive algorithm of tracking all users is all that is known for the security analysis of ARBAC policies without separate administration, and the state space explosion that this results in precludes building effective tools. In contrast, the separate administration assumption greatly simplifies the analysis, since it makes it sufficient to track only one user at a time. However, separation limits the expressiveness of the models and restricts modeling distributed administrative control. In this paper, we undertake a fundamental study of analysis of ARBAC policies without the separate administration restriction, and show that analysis algorithms can be built that track only a bounded number of users, where the bound depends only on the number of administrative roles in the system. This fundamental insight paves the way for us to design an involved heuristic to further tame the state space explosion in practical systems. Our results are also very effective when applied to policies designed under the separate administration restriction. We implement our techniques and report on experiments conducted on several realistic case studies.

    Dynamic Access Control in Industry 4.0 Systems

    Industry 4.0 enacts ad-hoc cooperation between machines, humans, and organizations in supply and production chains. The cooperation goes beyond rigid hierarchical process structures and increases the levels of efficiency, customization, and individualisation of end products. Efficient processing and cooperation require exploiting various sensor and process data and sharing them across various entities, including computer systems, machines, mobile devices, humans, and organisations. Access control is a common security mechanism to control data sharing between involved parties. However, access control to virtual resources alone is not sufficient in the presence of Industry 4.0, because physical access has a considerable effect on the protection of information and systems. In addition, access control mechanisms have to become capable of handling dynamically changing situations arising from ad-hoc horizontal cooperation or changes in the environment of Industry 4.0 systems. Established access control mechanisms do not yet consider dynamic changes or the combination with physical access control. Approaches trying to address these shortcomings exist but often do not consider how to obtain information such as the sensitivity of the exchanged data. This chapter proposes a novel approach to control physical and virtual access tied to the dynamics of custom product engineering, hence establishing confidentiality in ad-hoc horizontal processes. The approach combines static design-time analyses to discover data properties with a dynamic runtime access control approach that evaluates policies protecting virtual and physical assets. The runtime part uses data properties derived from the static design-time analysis, as well as the environment or system status, to decide about access.

    Secure abstraction views for scientific workflow provenance querying


    RACIAL COMPLEXITY: myths and realities in two freguesias of Salvador in 1775

    Pedro de Almeida Vasconcelos. Based on a meticulous analysis of data from the 1775 census on two freguesias of Salvador (São Pedro and Penha), five dominant myths about slavery in the national imaginary are called into question: (1) the total dominance of slave labour in society; (2) a society made up only of masters and slaves; (3) a society constituted, on one side, by a segment of dominant exploiters and, on the other, by the dominated and exploited; (4) a segregated urban society; (5) a patriarchal society in which women were submissive and economically subordinate. The census results therefore raise new questions for understanding the complexity of our past, which helps to explain the persistence of today's extreme inequalities, and they also show the existence of spatial differentiation within the city. KEYWORDS: slaves, freed people, agregados, freguesias, Salvador. Online publication of Caderno CRH: http://www.cadernocrh.ufba.b

    Delegation in Role-Based Access Control
